Password management in virtualized liveCD environment?

I recently received a heads-up from GitHub that my password has probably been compromised (I don’t know their source of info). I can believe that, considering that I reuse passwords a lot.

The simple answer is a password manager and a random password for each site, except… it’s not that simple in my case.

I’m using a virtual machine for internet access with a passed-through network interface (my primary workstations, i.e. the virtualization hosts, are isolated from the internet), and the VM has a read-only disk image. All changes are wiped on reboot. I’d like to keep all passwords on the host machine and expose only the one currently in use to the internet VM.

One option would be a shared clipboard, but it’s insecure, as a shared clipboard may lead to various accidental data leakage incidents. I do use a shared folder between host and guest, though.

So I wonder what you would recommend for password management in such a case?

I considered an AES-256 encrypted file and two bash scripts: one that would decrypt the passwords file, create a temporary file on the shared VM storage (mounted in a ramdisk) with the requested password in plaintext, and later remove it; a second one in the VM to copy the content to the clipboard in the VM and then overwrite it after a few seconds to prevent accidental leakage.

The only significant problem with this solution is synchronization of passwords between my workstations. So maybe there are some easier / more secure options? I’m afraid the lack of internet access on the workstations may be somewhat problematic if I want to synchronize passwords. So maybe something SSH-based?
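The host/guest handoff described above, as an added example (not the poster's scripts). It only covers the file-based handoff: the host is assumed to have already decrypted the store with an external tool (the Python standard library has no AES), the directory passed as `shared_dir` is assumed to be the host-to-guest share backed by a ramdisk (tmpfs), and pushing the secret into the guest clipboard with xclip/wl-copy is left out. The file name `current.pw` and the TTL are assumptions; the guest shreds the file as soon as it reads it, and the host shreds it after a timeout if the guest never picked it up.

```python
"""One-password handoff from host to VM through a shared ramdisk directory.

Added example, not the original poster's code. Assumptions:
  - the password store has already been decrypted by an external tool
  - shared_dir is a tmpfs-backed directory exported to the guest
  - the guest side pushes the returned secret into its clipboard itself
"""
import os
import stat
import tempfile
import time

HANDOFF_NAME = "current.pw"   # hypothetical file name used on the share


def expose_password(shared_dir: str, secret: str) -> str:
    """Host side: write exactly one password, mode 0600, never via a temp copy."""
    path = os.path.join(shared_dir, HANDOFF_NAME)
    # O_EXCL refuses to clobber a handoff file the guest may still be reading
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, secret.encode("utf-8"))
        os.fsync(fd)   # no-op on tmpfs, matters if the share is not a ramdisk
    finally:
        os.close(fd)
    return path


def shred_file(path: str) -> None:
    """Overwrite the contents with zeros, then unlink, so the plaintext
    does not linger in the ramdisk until the next reboot."""
    size = os.stat(path).st_size
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)


def consume_password(path: str) -> str:
    """Guest side: refuse world/group-readable files, read once, shred."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} readable by group/others (mode {oct(mode)})")
    with open(path, "rb") as f:
        secret = f.read().decode("utf-8")
    shred_file(path)
    return secret


def expire_password(path: str, ttl_seconds: float) -> bool:
    """Host side: wait up to ttl_seconds for the guest to consume the file;
    if it is still there afterwards, shred it. Returns True if we shredded."""
    deadline = time.monotonic() + ttl_seconds
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return False          # guest already took (and shredded) it
        time.sleep(0.05)
    if os.path.exists(path):
        shred_file(path)
        return True
    return False


def demo(shared_dir=None) -> dict:
    """Round trip on a throwaway directory standing in for the ramdisk share.
    The secret is constructed; returns what each side observed."""
    shared_dir = shared_dir or tempfile.mkdtemp(prefix="pw-handoff-")
    secret = "constructed-example-password-42"
    path = expose_password(shared_dir, secret)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    received = consume_password(path)            # guest picks it up
    left_after_read = os.path.exists(path)
    path2 = expose_password(shared_dir, "never-read")   # guest never reads this one
    expired = expire_password(path2, ttl_seconds=0.2)
    return {"mode": mode, "received_ok": received == secret,
            "file_left_after_read": left_after_read,
            "expired": expired, "file_left_after_expire": os.path.exists(path2)}


if __name__ == "__main__":
    print(demo())
```

Note that 0600 on the host only protects the file from other host users; with 9p/virtiofs-style shares the guest sees the file through uid mapping, so the guest-side mode check is a sanity check, not a guarantee that no other guest process could read it first.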

KeePassXC might be an option for you. You can sync the .kdbx files, and it automatically updates other copies if they are in a synced folder.


From best to worst:

  1. Use KeePass and place the database in the shared folder.
  2. Use Bitwarden. It keeps all of the passwords in the cloud so both computers can access them. (The data is encrypted and only locally decrypted, so even Bitwarden cannot access your passwords.)
  3. Use MasterPassword (http://masterpassword.app/). This is a novel kind of password safe that doesn’t require any data to be synced in the first place.
  4. Use the shared clipboard anyway, because it’s still a LOT safer than reusing passwords.

I kind of like how MasterPassword works. However, its really weak point is that it gives enormous power to the master password. It’s realistically impossible to change the master password, so if it leaks it’s kind of game over. Still, a really neat idea. I like it.

I fully agree. It’s a very cool idea, but has flaws. I’d stick to KeePass or Bitwarden.

Well, their servers are your biggest weakness. So as far as security is concerned, you have no control over it.

If you don’t mind hosting your password database in the cloud, you can also use app.keeweb.info as your password manager to unlock KeePass-type databases. KeeWeb can also be used as a local password manager.

I use KeePassXC locally, and KeeWeb on computers that I sort of trust but on which I don’t want to install software or permanently store my password database.

It doesn’t use servers. MasterPassword does not store any data that would have to be synchronized.

It uses the master password as a kind of seed to their algorithm, which is deterministic. All passwords are generated using only this master password; that’s why it’s stateless, and every MasterPassword instance will generate exactly the same passwords given the same master password as input. It’s basically a deterministic random string generator that uses the given master password as the initial seed and the name of the service as the salt. So every time, master password + service string will give the same result. That’s why it’s offline and stateless.

Being fully offline, it’s really suitable for air-gapped or semi-air-gapped environments like mine. Databases on shared storage that are not designed to be shared tend to be troublesome, especially with concurrent write access.
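The stateless "master password + service name → password" scheme described in the two posts above, as an added example. This is a minimal stand-in written for this thread, not MasterPassword's actual algorithm (the real tool uses scrypt plus its own per-site templates and a counter); it keeps the property under discussion, that the output depends only on the inputs and nothing has to be stored or synced, and it also makes the earlier objection concrete: changing the master password changes every site password at once. The scrypt cost, the output alphabet and the sample inputs are assumptions.

```python
"""Stateless, MasterPassword-style password derivation (added example,
not the real MasterPassword algorithm). Output depends only on
(master password, user name, site, counter), so there is no database."""
import hashlib
import hmac

# 70-symbol output alphabet; an assumption, real tools use per-site templates.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"
_LIMIT = 256 - (256 % len(ALPHABET))   # 210: bytes >= this are rejected (no modulo bias)


def master_key(master_password: str, user_name: str) -> bytes:
    """Slow step, done once per session: scrypt over the master password,
    salted with the user name. n=2**14 (~16 MiB) is an assumption; raise it
    on real hardware so one leaked site password stays expensive to invert."""
    return hashlib.scrypt(master_password.encode("utf-8"),
                          salt=user_name.encode("utf-8"),
                          n=2 ** 14, r=8, p=1, dklen=32)


def _keystream(key: bytes, site: str, counter: int):
    """Yield bytes bound to (key, site, counter): HMAC-SHA256 over
    site || 0x00 || counter || block_index, one 32-byte block at a time."""
    msg = site.encode("utf-8") + b"\x00" + counter.to_bytes(4, "big")
    block = 0
    while True:
        yield from hmac.new(key, msg + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Fast step: map the keystream onto ALPHABET with rejection sampling.
    Bumping `counter` rotates one site's password; the master stays fixed."""
    out = []
    for b in _keystream(key, site, counter):
        if b < _LIMIT:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


def derive(master_password: str, user_name: str, site: str,
           counter: int = 1, length: int = 20) -> str:
    """One-shot form: exactly what a second, never-synced instance computes."""
    return site_password(master_key(master_password, user_name), site, counter, length)


if __name__ == "__main__":
    key = master_key("correct horse battery staple", "alice")   # constructed inputs
    for site in ("github.com", "example.org"):
        print(site, site_password(key, site))
    # The thread's objection: a new master password regenerates EVERY site password.
    print("github.com after master change:", derive("new master", "alice", "github.com"))
```

The counter is the only escape hatch the scheme offers: it lets one site's password be rotated after a breach there, but it is itself state the user has to remember, which is the trade-off the posts above point at.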

I’ve been using KeePassXC for that exact reason. It works well with concurrent access and team password stores. I am just sceptical of providing our corporate passwords to any password service, I guess. At least we can put our KeePass on ACL-controlled folders and don’t have to worry too much about it.